Serving to LAN or internet

Security Implications

I've written a number of tutorials about connecting things to the internet. And those activities are a lot of fun. Just keep in mind that you have to "open your door" to let things in from the internet. Be careful that you don't open it too wide.

First a bit of good news: If you are just getting started with publishing things on the internet, the rest of this page is probably not important to you. It is important to people who are setting up a server connected to the same connection to the internet as they use for browsing, email, etc.

If you are building a blog, or publishing some web pages which have to be uploaded to a server which is on a different internet connection that your own, then there are things to be careful about... especially, publish as little personal information as you can!... but you are not exposed to the perils this page talks about.

Still on the topic of what this page is not about. Let's say you use Comcast to connect to the interent. And let's say your account allows you to post web pages... but you upload them to a computer owned by Comcast to make them available to the world. The warnings here are not for you.

If whatever service you are considering building would die if something on your LAN was unplugged, then these warning are for you!

Don't hate me?

Thank you for reading this far.

I'm afraid I do not know nearly as much as I would like to about properly securing a system which grants some access to the outside world.

I'd like to tell you "do this, this and this, and you will be safe."

Well... I can't. (And I don't think anyone else can, either.)

I can tell you: Be paranoid. Skype used to tell us how many people were connected at any given time, which was fun. And it was usually millions of people.

A million is a big number. Bear with me a moment....

Let's say that all the bad people in the world are in the USA, only 1 internet user in the world is in the USA.

Let's say that only men are bad, and only men aged 15-25. And let's say that group in 1 in every hundred of internet users.

Let's say that only people named Fred are bad. And that 1 person in a thousand is named Fred.

So... "bad people" are: From the US, men, aged 15-25, named Fred.

Finally, we'll stipulate that only 10 million people total are able to access the internet.

How many bad people does that mean you are exposing yourself to, if you "open the door" of your system?

Ten.

Doesn't seem like many? When you finish reading this paragraph, stop using your computer... immediately... and do not use it again for an hour. If a Bad Man compromises your system through the door you opened, it will be more than an hour before your system is up and running again... if you are lucky. And you won't have all of the files that were on it before the crash. And another thing: The worst infections today are transparent. You do not know that you have an infection, but your computer is running slowly because Bad Men are using it for serious crime. Bad Men are watching, waiting for you to put in, say, the password for accessing your bank account. There are still stupid kiddies out there who, in an earlier age, threw bricks through windows. They may trash your system for you. But they are not as motivated, and are not as technically advanced as the criminal hackers.

Stop using your computer now for one hour.

So... I hope you enjoyed your computerless hour? If you decide that you really want to go ahead with connecting a server to the internet: Good! You can have a lot of fun. But remember the need to be careful. The mind bogglong number of people connected to the internet means that, sad to say, there are Bad People who will have access if you are careless... or if another flaw in Windows, or even Linux or the MAC OS lets them in.

Enough of the "Why"! What about the "How"?

Have a good anti-malware package in place.

While you should only have one anti-virus program running, you can, and should, have at least two firewalls in place. Your router should include a built in firewall. Your anti-malware software should have a firewall component.

(You can't have two anti-virus programs running because they will "fight" one another, as well as any malware which appears at your door. It is usually also a bad idea to have both the Windows software firewall and a third party software firewall running in one machine.)

Study your anti-malware and firewall settings. "Stuff happens". Were you forced to turn something off to install some software? (This should rarely be necessary... but sometimes it is, and more often lazy software vendors ask you to put yourself at risk to make their lives simpler.) Did you turn it back on again?!

Anti-malware and firewalls are not "all or nothing". If you are setting up, say, the Apache web-server (or a different one), it's settings are not "all or nothing".

Work as hard as you can to shut down, lock up, close any "doors" which you do not need open.

Try to take a "close everything except..." approach. You will need to allow certain services and ports to be used... but "lock up" as many as you can. Note I said "services" and "ports". Both can be controlled via firewalls and anti-malware software. If you don't need a service, don't need a port, lock it down.

As I said... I wish I could "tell you the answer". But please at least keep asking the question... "Is my security tight enough"? And keep looking for good advice on the subject.

Page tested for compliance with INDUSTRY (not MS-only) standards, using the free, publicly accessible validator at validator.w3.org. An early draft of the page was valid apart from several things inside the code to embed the video clip of the ocelots.